Re: [exim] Failing for DNSSEC lookup

Author: Christian Eyrich
Date:  
To: exim-users
Subject: Re: [exim] Failing for DNSSEC lookup
On 20.03.2022 at 22:28, Viktor Dukhovni via Exim-users wrote:

> Even if the local (unbound) resolver performs DNSSEC validation and
> signals a secure result via the "AD" bit in the DNS reply, a
> sufficiently recent "glibc" will suppress the AD bit unless
> /etc/resolv.conf sets "trust-ad" resolver option:
> 
>      https://github.com/NLnetLabs/dnssec-trigger/issues/5#issuecomment-799847737
> 
> The most likely problem is that this is not set in your
> /etc/resolv.conf file.


You nailed it, Viktor. It’s working now. Thank you very much.

And now I know that I was right that it worked in the past and why:
Debian Buster used glibc 2.28.

> Note that you should not trust the "AD" bit from *remote* nameservers
> whose replies to your libc stub resolver traverse insecure networks.
> In practice this means that /etc/resolv.conf MUST ONLY contain the
> 127.0.0.1 and/or ::1 nameserver addresses.


That’s no problem. My local unbound does do all the DNS resolution on
its own, and 127.0.0.1 is the only entry in resolv.conf.

Best regards,
Christian
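The two conditions Viktor spells out above (an "options trust-ad" line so that glibc keeps the AD bit, and only loopback nameservers so that the AD bit cannot be forged in transit) are easy to get wrong silently, so here is a small checker for them. It is an added example written for this page, not code from the thread, Exim, unbound or glibc. It assumes the glibc behaviour described in the thread (the stub resolver clears the AD bit unless trust-ad is set; that change arrived in glibc 2.31, which matches the report that Buster's glibc 2.28 still passed it through), and the two sample resolv.conf contents are constructed for the demonstration, using the documentation address 192.0.2.53 as a stand-in for a remote resolver.

```shell
#!/bin/sh
# check_resolv_conf: read a resolv.conf on stdin and report whether the libc
# stub resolver will deliver a trustworthy AD (authenticated data) bit.
# Returns 0 when the file passes, 1 otherwise, printing one line per finding.
#   - "options trust-ad" must be present: glibc 2.31+ clears AD without it
#   - every "nameserver" must be loopback (127.0.0.0/8 or ::1), because an AD
#     bit set by a remote server that is reached over an insecure network
#     can be forged on the wire
check_resolv_conf() {
    trust_ad=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # resolv.conf comments start with '#' or ';'
        line=${line%%#*}; line=${line%%;*}
        set -- $line
        [ $# -eq 0 ] && continue
        case "$1" in
        options)
            shift
            for opt in "$@"; do
                [ "$opt" = trust-ad ] && trust_ad=1
            done ;;
        nameserver)
            case "$2" in
            127.*|::1) ;;   # the validating resolver on this host
            *)  echo "nameserver '$2' is not loopback; its AD bit cannot be trusted"
                bad=1 ;;
            esac ;;
        esac
    done
    if [ "$trust_ad" -eq 0 ]; then
        echo "'options trust-ad' is missing; glibc >= 2.31 will clear the AD bit"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: remote resolver, no trust-ad (both problems present).
weak_resolv_conf() {
    printf '%s\n' \
        '# constructed example, not a real host configuration' \
        'nameserver 192.0.2.53' \
        'options edns0'
}

# Constructed sample: the shape the thread arrives at, local unbound only.
good_resolv_conf() {
    printf '%s\n' \
        'nameserver 127.0.0.1' \
        'nameserver ::1' \
        'options trust-ad edns0'
}

# When run directly, check the live file if there is one.
if [ -r /etc/resolv.conf ]; then
    if check_resolv_conf < /etc/resolv.conf; then
        echo "/etc/resolv.conf: OK for DNSSEC-aware clients"
    else
        echo "/etc/resolv.conf: fix the findings above"
    fi
fi
```

The check only looks at what the stub resolver sees; it says nothing about whether the local unbound itself validates. Pipe any candidate file through it (`check_resolv_conf < some.conf`) before deploying it, and remember that a resolv.conf rewritten by DHCP or a network manager can reintroduce a remote nameserver later.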